Merge pull request #20 from docker/3.4.0_11032022

3.4.0 11032022
docker · Nov 3, 2022 · 60cbd8e · 60cbd8e
2 parents 7907ff3 + 2b1f85e
commit 60cbd8e
Show file tree

Hide file tree

Showing 3 changed files with 47 additions and 5 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -3,8 +3,8 @@ FROM centos:centos7
 # Define args and set a default value
 ARG maintainer=tier
 ARG imagename=shibboleth_sp
-ARG version=3.3.0
-ARG TIERVERSION=20211202
+ARG version=3.4.0
+ARG TIERVERSION=20221103
 
 MAINTAINER $maintainer
 LABEL Vendor="Internet2"

diff --git a/Jenkinsfile b/Jenkinsfile
@@ -17,6 +17,7 @@ node('docker') {
   stage 'Setting build context'
 
     def maintainer = maintainer()
+    def previous_maintainer = previous_maintainer()
     def imagename = imagename()
     def tag
 
@@ -58,16 +59,51 @@ node('docker') {
       sh "rm -f ./debug"
       handleError(message)
     }
+
+  stage 'Scan'
+
+    try {
+          // Install trivy and HTML template
+          sh 'curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin v0.31.1'
+          sh 'curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/html.tpl > html.tpl'
+
+          // Scan container for all vulnerability levels
+          sh 'mkdir -p reports'
+          sh "trivy image --ignore-unfixed --vuln-type os,library --severity CRITICAL,HIGH --no-progress --security-checks vuln --format template --template '@html.tpl' -o reports/container-scan.html ${maintainer}/${imagename}:latest"
+          publishHTML target : [
+              allowMissing: true,
+              alwaysLinkToLastBuild: true,
+              keepAll: true,
+              reportDir: 'reports',
+              reportFiles: 'container-scan.html',
+              reportName: 'Security Scan',
+              reportTitles: 'Security Scan'
+          ]
+
+          // Scan again and fail on CRITICAL vulns
+          sh "trivy image --ignore-unfixed --vuln-type os,library --exit-code 1 --severity CRITICAL ${maintainer}/${imagename}:latest"
+    } catch(error) {
+      def error_details = readFile('./debug');
+      def message = "BUILD ERROR: There was a problem scanning ${imagename}:${tag}. \n\n ${error_details}"
+      sh "rm -f ./debug"
+      handleError(message)
+    }
 
   stage 'Stop container'
 
     sh 'bin/ci-stop.sh'
 
   stage 'Push'
-    docker.withRegistry('https://registry.hub.docker.com/',   "dockerhub-$maintainer") {
+    docker.withRegistry('https://registry.hub.docker.com/',   "dockerhub-$previous_maintainer") {
           def baseImg = docker.build("$maintainer/$imagename", "--no-cache .")
           baseImg.push("$tag")
     }
+
+    docker.withRegistry('https://registry.hub.docker.com/',   "dockerhub-$previous_maintainer") {
+          def altImg = docker.build("$previous_maintainer/$imagename", "--no-cache .")
+          altImg.push("$tag")
+    }
+
 
   stage 'Notify'
 
@@ -79,6 +115,11 @@ def maintainer() {
   matcher ? matcher[0][1] : 'tier'
 }
 
+def previous_maintainer() {
+  def matcher = readFile('common.bash') =~ 'previous_maintainer="(.+)"'
+  matcher ? matcher[0][1] : 'tier'
+}
+
 def imagename() {
   def matcher = readFile('common.bash') =~ 'imagename="(.+)"'
   matcher ? matcher[0][1] : null

diff --git a/common.bash b/common.bash
@@ -1,3 +1,4 @@
-maintainer="tier"
+maintainer="i2incommon"
+previous_maintainer="tier"
 imagename="shibboleth_sp"
-version="3.2.3"
+version="3.4.0"